
The issue is that if it can modify one page, it can use that to inject code to request data from any web site. Those requests will contain your cookies for those sites so your data can be revealed.


I'm not an expert on security, but wouldn't that only apply to sites that have XSS vulnerabilities? The extension script only needs to have the same trust level as the top-level HTML in order to do its thing, in most cases.

At the moment, the ask is that users put 100% trust into some extension from the Chrome Web Store. It's not clear that Google does much to ensure that the companies are even who they say they are. It's a completely unreasonable ask, in my opinion. Then, in other areas, Google is hyper-sensitive about security. E.g., Chrome, under some circumstances, won't even let users download zip files anymore without trying to intervene. (https://code.google.com/p/chromium/issues/detail?id=423217)



